Security Bulletin: IBM Db2® Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548

Published: 2023-04-17 16:30:49
Source: www.ibm.com

CVSS v3.1: 8.1 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

CVSS v2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.004 (Low), percentile 72.8%

Summary

The Node.js open source runtime used by IBM Db2® Graph is affected by vulnerability CVE-2022-43548. The fix updates Node.js to 18.12.1.

Vulnerability Details

CVEID: CVE-2022-43548
**DESCRIPTION:** Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by an insufficient IsAllowedHost check in the debugging inspector (the WebSocket endpoint that exists when a process is started with the inspector enabled). IsAllowedHost relies on an IsIPAddress helper to decide whether the Host header of an incoming inspector request is a literal IP address, and that helper accepted invalid octal-looking dotted addresses (octets with a leading zero, such as 0177.0.0.1) as valid IPv4 literals. By sending a specially crafted request using such an invalid octal address, an attacker could bypass the rebinding protection, conduct a DNS rebinding attack against the inspector and execute arbitrary commands on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241552 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
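The following is an added example, not Node.js or IBM code, that models the flaw described above: a lax "is this an IP address?" test that only looks for digits and three dots (a simplified stand-in for the pre-fix IsIPAddress logic; the real Node.js implementation differs in detail) is compared against a strict dotted-decimal parser inside a simplified Host-header allow-list. The sample Host headers, including the octal-looking 0177.0.0.1, are constructed for the illustration.

```javascript
'use strict';

// Lax check: any string made only of digits and exactly three dots passes.
// Simplified model of the weak pre-fix behaviour; not Node.js's own code.
function isIPAddressLax(host) {
  let dots = 0;
  for (const c of host) {
    if (c === '.') dots++;
    else if (c < '0' || c > '9') return false;
  }
  return dots === 3;
}

// Strict check: exactly four octets, each a canonical decimal 0..255 with
// no leading zero, so "0177" (octal-looking), "01", "" and "4567" are rejected.
function isIPv4Strict(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9][0-9]{0,2})$/.test(p) && Number(p) <= 255);
}

// Simplified allow-list in the spirit of IsAllowedHost: loopback names and
// literal IPv4 addresses are allowed; any other name (for example an
// attacker-controlled DNS name used for rebinding) is refused.
// `isIP` is the pluggable address test so both variants can be compared.
function isAllowedHost(hostHeader, isIP) {
  const host = hostHeader.replace(/:\d+$/, ''); // drop an optional :port suffix
  if (host === 'localhost' || host === 'localhost6') return true;
  return isIP(host);
}

// Constructed sample Host headers (hypothetical, for illustration only).
const SAMPLES = [
  '127.0.0.1:9229',   // genuine loopback literal: both checks allow
  'localhost:9229',   // loopback name: both checks allow
  '0177.0.0.1:9229',  // octal-looking octet: lax allows, strict refuses
  '1.2.3.4567',       // out-of-range octet: lax allows, strict refuses
  'evil.example:9229' // plain DNS name: both checks refuse
];

// Returns { hostHeader: [laxDecision, strictDecision] } for every sample.
function compareChecks() {
  const out = {};
  for (const h of SAMPLES) {
    out[h] = [isAllowedHost(h, isIPAddressLax), isAllowedHost(h, isIPv4Strict)];
  }
  return out;
}

for (const [h, [lax, strict]] of Object.entries(compareChecks())) {
  console.log(`${h.padEnd(20)} lax=${lax}  strict=${strict}`);
}
```

The two inputs the lax test wrongly admits are exactly the shape the advisory describes: strings that look like dotted IPv4 but are not valid literals. In your own code, validate address literals with a real parser (Node.js ships `net.isIPv4`, which also rejects leading-zero octets) rather than a character-class heuristic.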

Affected Products and Versions

All platforms of the following IBM® Db2® Graph levels are affected:

Affected Product: Db2 Graph
Affected Version(s): 1.0.0.592 through 1.0.0.1353

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to the latest IBM® Db2® Graph release containing the fix for this issue.

Product: Db2 Graph
Fixed in Version(s), by architecture:
  amd64: 1.0.0.1477-amd64, 1.0.0.1514-amd64, latest-amd64
  ppcle: 1.0.0.1477-ppcle, 1.0.0.1514-ppcle, latest-ppcle
  s390x: 1.0.0.1477-s390x, 1.0.0.1514-s390x, latest-s390x

Follow the instructions below to set up IBM Db2 Graph:

<https://www.ibm.com/docs/en/db2/11.5?topic=graph-setting-up-db2>

Workarounds and Mitigations

None
